What should be included in a high-level policy for third-party cybersecurity risks?

1.1k views · 5 Comments

Director of Information Security in Telecommunication, 10,001+ employees
Third-party risk assessment. Understanding the risk profile considering both the service that will be provided/managed and the security posture of relevant third parties is essential.
Director in Construction, 1,001 - 5,000 employees
I don't think it is a question that can be answered generically. Your third-party policy should indicate that an assessment of risks to your organization needs to be undertaken for third parties and, based on the outcome of the assessment, proper controls/governance put in place. For example, if the third party stores confidential information, then data management controls need to be envisioned. If the third party provides an operationally critical service, then BCP/DR testing needs to be considered important. If the third party supplies products that you use, then the supply chain needs to be considered. Don't forget about the third party's governance of their own third parties (fourth, fifth, etc. parties to you). All of these could cause your business concerns due to a cybersecurity issue.
Head of Information Security in Finance (non-banking), 1,001 - 5,000 employees
Our company has approved a standard for third-party risk assessment which includes all requirements for cybersecurity risks. When a company is assessed as high risk, the Information Security team must conduct security due diligence on that high-risk third-party company.
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
For a TPRM policy, the basic need is having quality vendors or partners to maintain a quality business ecosystem.
In today's digital era, cybersecurity is one of the most important aspects to consider before undertaking a digital integration.
The cybersecurity requirements should form the baseline, and should be maintained and followed for as long as information exchange is happening via digital channels.
Senior Information Security Manager in Software, 501 - 1,000 employees
This should cover all of the main areas around third-party risk:

•    Third Party Service Providers
•    Third-Party Security Requirements
•    Third-Party Access Control
•    Information Exchange
•    Third-Party Contracts
•    Personnel Security
•    Software Procurement
•    Assessment, Monitoring and Audits
•    Contingency Plans
•    Foreign Countries
